In fact, your servers must prove their trustworthiness to any client operating system or application whenever someone attempts to log in to a secure app (like Yammer).

And trust is complicated.

There's also an entire certification hierarchy. Something called the root certification authority certificate sits at the top of it (despite what its name might imply). It issues certificates to "authorize" other, subordinate certificates called intermediate certificates. Together, all of these form a certification chain.

You've probably guessed that any intermediate certificates in the chain are pretty important, too—so important that Android requires that they're sent in a specific order:

1. First, make sure you've put the root certification authority certificate in the Trusted Root Certification store, which is on your AD FS server(s).

2. Then, put any intermediate certification authority certificates in the Intermediate Certification store on the Local Computer, which you'll find on your AD FS and Web Application Proxy (WAP) servers. (Run certlm.msc to open the console on a Windows computer.)

To make step 2 easier to understand, think of it this way: If servers were continents, then

the Local Computer would be a country in those continents;

the certification store would be a state (or province), and

intermediate certificates would be the state population.

On a Mac computer, these categories, or folders, vary slightly. Use Spotlight to search for the "Keychain Access" console. For information on Keychain Access, see Keychain Access overview on the Apple Support site.

If your organization already has its certification hierarchy squared away, then you could be encountering a small issue on your Security Token Service (STS) server, explained below.

Downloading additional certificates is a common misstep.

There are a couple of things that could have gone wrong with your SSL certificate(s), but the most common culprit is a server configuration that's missing an intermediate certification authority, the piece that signs your server's certificates with its private key. This triggers an AuthenticationException error when Yammer, or Office 365, tries to display the login page.

Someone might have downloaded additional certificates from the authorityInformationAccess field of an SSL certificate, which prevents the server from passing on the entire certificate chain from AD FS. Android doesn't support additional certificate downloads from this field.

Before troubleshooting, here's how you can be sure that this is an issue.

You should see a list of SSL certificates. Look for a certificate labeled "extra download." This error signals failed authentication, indicating that AD FS couldn't pass along the entire certificate chain.

Successful authentication is marked as "sent by server."
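
Another way to see what the server actually sends, as an added example that is not part of the original article: the Python below parses the "Certificate chain" listing printed by `openssl s_client -showcerts` and reports whether the intermediates were sent, leaf first. The sample output, host names and result labels are constructed for illustration.

```python
import re

# Constructed samples of the "Certificate chain" listing that
# `openssl s_client -connect HOST:443 -showcerts` prints (names are made up).
SAMPLE_FULL = """\
Certificate chain
 0 s:CN = sts.example.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
Server certificate
"""
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:CN = sts.example.com
   i:CN = Example Intermediate CA
---
"""

_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER = re.compile(r"^\s+i:(.*)$")

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain listing
        elif in_chain and (m := _SUBJECT.match(line)):
            subject = m.group(1).strip()
        elif in_chain and subject is not None and (m := _ISSUER.match(line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def check_chain(s_client_output):
    """Classify what the server sent; the labels are this example's own."""
    chain = parse_chain(s_client_output)
    if not chain:
        return "no certificates found"
    # Each certificate must be issued by the one that follows it.
    if any(iss != nxt for (_, iss), (nxt, _) in zip(chain, chain[1:])):
        return "out of order"
    # Assumption: a lone, non-self-signed leaf means its issuer was not sent.
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        return "intermediate missing"
    return "full chain sent"
```

To check a real server, pass the captured text of `openssl s_client -connect <your STS host>:443 -showcerts` to `check_chain`.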

Here's how you fix an extra download.

Follow these steps to configure your Security Token Service (STS) and Web Application Proxy (WAP) servers and send the missing intermediate certificate(s) together with the SSL certificate. First, you'll need to export the SSL certificate.

Run certlm.msc to open the certificates console. Only an administrator or user who has been given the proper permissions can manage certificates.

In the console tree, in the store that contains the certificate to export, click Certificates.

In the details pane, click the certificate that you need to export.

On the Action menu, click All Tasks, and then click Export. When the Certificate Export Wizard starts, click Next.

Select Yes, export the private key, and click Next.

Select Personal Information Exchange - PKCS #12 (.PFX), and accept the default values to include all certificates in the certification path if possible. Also, make sure that the Export all extended properties checkboxes are selected.

If required, assign users/groups, and type a password to encrypt the private key that you are exporting. Type the same password again to confirm it, and then click Next.

On the File to Export page, browse to the location where you want to put the exported file, and give it a name.

Using the same certificates console (certlm.msc), import the *.PFX file into the computer's personal certificate store.

Finally, if your organization uses active load balancers to distribute traffic between servers, these servers should also have their local certificate stores updated (or at least verified).

If the above steps didn't work for you, look into these similar issues, or contact Yammer Support: